Adobe Works With Google to Improve Security of Flash

Adobe Flash was recently the target of a number of zero day attacks that led Mozilla to disable the media player in the Firefox web browser. As part of an effort to fix the bugs and improve security against future attacks, Adobe has worked with Google's Project Zero. As part of the effort the team has "managed to make structural changes to the way its program interacts with an operating system." The two main changes were the addition of a new partition to heap memory and the requirement for a validation key before modifying Vector objects. The patch was applied in Flash version v18.0.0.209 and the company recommends getting the 64-bit version of Chrome when using a 64-bit OS. Google researchers described the effort stating, "It's a cat-and-mouse-game, but we'll be looking out for attackers' attempts to adapt, and devising further mitigations based on what we see. Perhaps more importantly, we're also devising a next level of defences based on what we expect we might see. Our partitioning mitigation is far from finished. We'll be analysing object types to see what else might benefit from partitioning, and moving forward incrementally."